Agent-Based Attack and Defense for an Intranet Environment
Dr. Yuh-Jong Hu
Tsai Chang-hsien, and Pan Hsien-kuo
{jong, s8514, s8552}@cherry.cs.nccu.edu.tw
Emerging Network Technology (ENT) Lab
Dept. of Computer Science
National Chengchi University, Taipei, Taiwan
Software Agent Definitions
An agent is a computer system, situated in some
environment, that is capable of flexible autonomous action
in order to meet its design objectives (12).
Three key concepts in this definition: situatedness,
autonomy, and flexibility.
Software agents can be classified as stationary agents and
mobile agents.
Mobile agent security concerns are host protection,
agent protection, and agent trustworthiness, while the
only stationary agent security concern is agent
trustworthiness.
Definitions of Information Warfare
Information warfare consists of those actions intended to
protect, exploit, corrupt, deny, or destroy information or
information resources in order to achieve a significant
advantage, objective, or victory over an adversary (17).
Information warfare can be dichotomized as (5)(6):
Offensive Information Warfare
Defensive Information Warfare
Offensive and defensive information warfare are
considered a primal and dual problem.
Definitions of Information Warfare (Cont.)
Offensive information warfare operations produce a win-lose
outcome by altering the availability and integrity of
information resources to the benefit of the offense and
to the detriment of the defense (5).
Defensive information warfare seeks to protect
information resources from attack, to preserve the value of
those resources, or, in the event of a successful attack, to
recover the lost value (5).
Internet vs. Intranet Information Warfare
Our Intranet information warfare was exercised in a
protected network domain with a firewall as the
gatekeeper.
The domain of Internet information warfare is much larger
than an Intranet subdomain, so simulating Internet
warfare is much harder.
Internet information warfare favors the offensive
side because the area of defensive weakness is so widespread.
Why Agent-Based Information Warfare?
Purely manual information warfare operations are
cumbersome and tedious, and attack and defense
strategies are not easy to formulate.
Agent-based information warfare provides autonomous,
proactive, reactive, and cooperative attack/defense
operations.
Attack/defense strategies are easy to formulate, and the
initiative behind each attack/defense operation is transparent.
Agent-based information warfare does not exclude
manual attack/defense.
How Agent-Based Information Warfare?
Some software agent characteristics, such as
situatedness, autonomy, and flexibility (responsive, proactive,
social), are demonstrated in agent-based offensive
and defensive information warfare.
Agents are classified into several categories, each playing a
specific mission in our offensive/defensive information
warfare.
Existing manually operated code for exploiting
system vulnerabilities is reused in our agent-based
offense, including scanners, remote exploits, local
exploits, and monitoring tools.
How Agent-Based Information
Warfare? (Cont.)
All of our offensive/defensive agents are coded in Java,
so we must handle the integration problems between
Java and the existing intrusion tools.
Offensive and defensive information warfare were
developed by two different groups, and the warfare
lasted 5 days on our ENT lab's Intranet.
The initiative in agent-based offensive/defensive
information warfare can be taken by anyone, even
someone without much cyberspace attack and defense
knowledge.
We expect to increase the power of attack/defense via
agent technology.
[Figure: ENT lab Intranet testbed. A CheckPoint Firewall-1 gateway guards the domain; the hosts are RedHat Linux machines, a Windows NT Server, Windows NT clients, and Windows 98 clients.]
Information Warfare Win-Lose Criteria
The offensive group and the defensive group discussed the
project together but implemented their systems separately.
The advantage of the offensive group is its familiarity
with our Intranet environment, which avoids much further
probing activity.
The advantage of the defensive group is the protection
of the firewall, with flexible adjustment of security policies.
In general, there are several win-lose criteria for evaluating
the offensive and defensive warfare achievements.
We did not consider social engineering attack/defense
issues in our agent-based system.
Information Warfare Win-Lose Criteria (Cont.)
The offensive group wins by carrying out the
following attacks successfully:
denial of service attack
data integrity attack
data confidentiality attack
end-user (general permission) account attack
root (privileged permission) vulnerability attack
Information Warfare Win-Lose Criteria (Cont.)
The defensive group wins by achieving the
following defenses successfully:
timely detection of all kinds of attacks
accurate decision of the attack category
proper reaction to the anomalous intrusion
effective recovery from a successful attack
cooperation with the firewall to counter similar attacks
Agent-Based Offensive Information Warfare
Scanning, remote exploiting, local exploiting, monitoring,
and stealth are all exercised via software agents (1).
Offensive software agents are classified as: scanning
agent, master agent, attack agent, and repository agent.
The scanning agent is embedded with the Nessus probing tools.
The master agent is the decision maker that launches the right
exploit code based on the scanning agent's probing
results.
The attack agent loads the right exploit code and attacks.
The repository agent stores and classifies different exploit
code for future possible attacks.
Agent-Based Offensive Information
Warfare (Cont.)
Offensive procedures are:
(1) The master agent submits targets (IPs) to the scanning agent.
(2) Scanning agents probe the targets for information.
(3) Scanning agents return the information to the master agent.
(4) The master agent analyzes the information and decides on
suitable attack policies and mechanisms.
(5) The master agent fires the attack actions and the attack
agents carry out the real attack.
(6) If a root account is obtained, the agent cleans the log
files and sets up a backdoor for future similar attacks.
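The master agent's analysis step (4), as an added example that is not the ENT lab's code: it parses constructed scan output laid out like a Nessus NBE result line (an assumed format), matches each host against a hypothetical repository built from the attack methods listed later in this deck, and chains entries whose precondition is met. Nothing here performs an attack; it only decides which repository entries the attack agents would load.

```python
"""Master-agent planning: map scan findings to repository entries.

Added example, not the ENT lab's code. The scan lines imitate the
pipe-separated Nessus NBE layout (assumed), the repository entries are
hypothetical and named after the deck's attack methods, and nothing
here attacks anything: it only chooses what an attack agent would load.
"""
from collections import defaultdict

# Constructed scan output, NBE style:
# results|subnet|host|port|plugin|type|description
SCAN_RESULTS = """\
results|10.0.0|10.0.0.2|ftp (21/tcp)|10079|INFO|FTP server with on-the-fly conversions
results|10.0.0|10.0.0.2|telnet (23/tcp)|10280|INFO|Telnet server
results|10.0.0|10.0.0.3|www (80/tcp)|10107|INFO|Apache HTTP server
results|10.0.0|10.0.0.3|ssh (22/tcp)|10267|INFO|SSH server
"""

# Repository-agent catalogue (hypothetical). "needs" is the precondition
# the master agent must already hold before the entry is applicable.
REPOSITORY = [
    {"name": "ftp-conversion", "kind": "remote", "needs": ("port", 21), "gain": "user"},
    {"name": "userhelper-pam", "kind": "local", "needs": ("gain", "user"), "gain": "root"},
    {"name": "sniffer", "kind": "post", "needs": ("gain", "root"), "gain": "creds"},
]


def parse_nbe(text):
    """Return {host: set(open ports)} from NBE 'results' lines."""
    ports = defaultdict(set)
    for line in text.splitlines():
        fields = line.split("|")
        if len(fields) < 7 or fields[0] != "results":
            continue
        host, port = fields[2], fields[3]
        # the port field reads like 'ftp (21/tcp)'; keep the number
        num = port[port.find("(") + 1 : port.find("/")]
        if num.isdigit():
            ports[host].add(int(num))
    return dict(ports)


def plan(hosts):
    """Chain applicable repository entries per host.

    Each pass adds every entry whose precondition (an open port or a
    privilege level gained earlier in the chain) is satisfied, until a
    pass adds nothing. A host with no reachable entry gets an empty chain.
    """
    plans = {}
    for host, open_ports in hosts.items():
        gained, chain, progress = set(), [], True
        while progress:
            progress = False
            for entry in REPOSITORY:
                if entry["name"] in chain:
                    continue
                kind, value = entry["needs"]
                if (kind == "port" and value in open_ports) or (
                    kind == "gain" and value in gained
                ):
                    chain.append(entry["name"])
                    gained.add(entry["gain"])
                    progress = True
        plans[host] = chain
    return plans


if __name__ == "__main__":
    for host, chain in plan(parse_nbe(SCAN_RESULTS)).items():
        print(host, "->", " then ".join(chain) or "no applicable entry")
```

The chaining rule is what makes the repository useful to a master agent: a local exploit is only worth loading once a remote one has yielded a shell, and a sniffer only once root is held on a host in the segment.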
Master Agent GUI
Tools and Techniques for Agent-Based
Offensive Information Warfare
Nessus scanning tools
Java socket
JNI(Java Native Interface)
Rootkit
Loki2
Crack
Satan
Back Orifice
Java Native Interface
[Figure: The attack agent calls exploit code from the exploit code database through JNI and launches the attack.]
For example, when the exploit code is written in C:
(1) Write a Java class that declares a native method for loading the exploit code.
(2) Use javah to create the .h header file from the compiled Java class.
(3) Include the generated .h file in the exploit code.
(4) Use JNI in the exploit code to transfer parameters between Java and C.
(5) Compile the exploit code into a new shared library that the Java class loads.
Agent Communication Interfaces
[Figure: The master agent drives the scan, parse, analyze, attack and detect steps. Attack tools are held by the repository agent and reached through the JNI agent; detect, log, generator and repository agents report back to the master agent.]
Attack Methods
Sniffer
FTP Conversions Attack
Userhelper and PAM Vulnerability
Backdooring
Log Cleaning
FTP Conversion Attack
A user can convert/archive/compress data on
the fly when retrieving files from an FTP server:
request a filename with .tar/.tar.gz/.Z/.gz appended
and the server runs the conversion before sending the file.
The conversion invokes tar, and tar accepts the argument
--use-compress-program PROG, which runs PROG as the compression filter.
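A detector for the conversion abuse described above, as an added example (not the lab's code): it reads /var/log/xferlog in the wu-ftpd xferlog layout and flags any conversion whose filename, once the conversion suffix is stripped, begins with a dash, because such a name reaches tar as an option rather than a file. The exact malicious request is not given in the deck; the rule here is the general one, and it assumes the server strips the suffix and passes the remainder to tar. The log lines are constructed.

```python
"""Flag FTP conversion requests whose filename would reach tar as an option.

Added example, not from the deck. Parses wu-ftpd xferlog lines:
  date(5 tokens) xfer-time host size filename type special-action
  direction access-mode user service auth auth-id status
The special-action flag is 'T' for tar and 'C' for compress conversions.
The sample lines are constructed; 'PROG' is the placeholder from the slide.
"""
import os

CONVERSION_SUFFIXES = (".tar", ".tar.gz", ".tgz", ".Z", ".gz")

XFERLOG = """\
Mon Mar 13 10:02:33 2000 1 10.0.0.9 20480 /pub/README.tar b _ o a ftp@ ftp 0 * c
Mon Mar 13 10:03:01 2000 1 10.0.0.9 5120 /pub/notes.txt a _ o a ftp@ ftp 0 * c
Mon Mar 13 10:04:17 2000 1 10.0.0.9 0 /pub/--use-compress-program=PROG.tar b T o a ftp@ ftp 0 * i
Mon Mar 13 10:05:40 2000 2 10.0.0.12 4096 /pub/docs.tar.gz b C o r alice ftp 1 * c
"""


def parse_xferlog(line):
    """Split one xferlog record; None for lines that are not transfer records."""
    f = line.split()
    if len(f) < 18:
        return None
    return {"time": " ".join(f[:5]), "host": f[6], "path": f[8],
            "action": f[10], "status": f[17]}


def tar_argument(path):
    """Name tar would receive if the suffix triggers a conversion, else None."""
    base = os.path.basename(path)
    # longest suffix first so 'x.tar.gz' strips to 'x', not 'x.tar'
    for suffix in sorted(CONVERSION_SUFFIXES, key=len, reverse=True):
        if base.endswith(suffix) and len(base) > len(suffix):
            return base[: -len(suffix)]
    return None


def suspicious(entries):
    """(host, path) for every conversion whose stripped name looks like an option."""
    hits = []
    for e in entries:
        arg = tar_argument(e["path"])
        if arg is not None and arg.startswith("-"):
            hits.append((e["host"], e["path"]))
    return hits


def scan_xferlog(text):
    return suspicious([e for e in map(parse_xferlog, text.splitlines()) if e])


if __name__ == "__main__":
    for host, path in scan_xferlog(XFERLOG):
        print(f"conversion argument abuse from {host}: {path}")
```

A responsive agent watching port 21 can apply the same check to the live command stream instead of the log; the log version has the advantage of also catching requests the attacker later removes from xferlog, provided a copy was shipped off-host first.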
Backdooring
Back up the passwd/shadow files
Add a temporary user
Get your login trojan
Install the login trojan
Be smart
Log Cleaning
/etc/syslog.conf
/var/log/messages
/var/log/secure (TCP Wrapper log)
/var/log/xferlog
/var/log/wtmp
~/.bash_history
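One way for a responsive agent to notice the log cleaning listed above, as an added example that is not the lab's code: it cross-checks the login records in /var/log/wtmp against the TCP wrapper "connect from" lines in /var/log/secure, since a cleaner who edits one file but not the other leaves a session with no matching connect record, and it also reports a wtmp whose length is not a whole number of records. It assumes the 384-byte glibc utmp record layout of Linux/x86 and the standard syslog line format; both the wtmp bytes and the secure lines are constructed inline.

```python
"""Spot cleaned logs by cross-checking wtmp against /var/log/secure.

Added example, not code from the deck. Assumes the glibc 'struct utmp'
layout on Linux/x86 (384 bytes per record) and TCP wrapper syslog lines
of the form 'Mon DD hh:mm:ss host daemon[pid]: connect from ADDR'.
All input below is constructed.
"""
import calendar
import re
import struct

UTMP_FMT = "<hxxi32s4s32s256shhiii4i20x"   # 384 bytes per record
UTMP_SIZE = struct.calcsize(UTMP_FMT)
USER_PROCESS, DEAD_PROCESS = 7, 8
YEAR = 2000   # syslog lines carry no year; assumed for the constructed data
MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), 1)}
CONNECT_RE = re.compile(
    r"^(\w{3}) +(\d+) (\d\d:\d\d:\d\d) \S+ \S+: connect from (\S+)")


def ts(mon, day, hms):
    """Epoch seconds (UTC) for a syslog-style timestamp."""
    h, m, s = map(int, hms.split(":"))
    return calendar.timegm((YEAR, MONTHS[mon], day, h, m, s, 0, 0, 0))


def pack_record(ut_type, pid, line, user, host, secs):
    """Build one wtmp record (used only to construct the sample file)."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, secs, 0, 0, 0, 0, 0)


# Constructed /var/log/secure: the 11:15 root login has no connect line,
# as if the attacker removed it but forgot wtmp.
SECURE = """\
Mar 13 10:02:30 gw in.telnetd[412]: connect from 10.0.0.9
Mar 13 10:40:02 gw in.ftpd[455]: connect from 10.0.0.12
"""
WTMP = b"".join([
    pack_record(USER_PROCESS, 413, "ttyp0", "alice", "10.0.0.9", ts("Mar", 13, "10:02:31")),
    pack_record(USER_PROCESS, 456, "ftp", "bob", "10.0.0.12", ts("Mar", 13, "10:40:03")),
    pack_record(USER_PROCESS, 601, "ttyp1", "root", "10.0.0.7", ts("Mar", 13, "11:15:00")),
    pack_record(DEAD_PROCESS, 601, "ttyp1", "", "", ts("Mar", 13, "11:30:00")),
])


def cstr(b):
    return b.split(b"\0", 1)[0].decode(errors="replace")


def parse_secure(text):
    """[(epoch, source address)] for every TCP wrapper connect line."""
    return [(ts(m.group(1), int(m.group(2)), m.group(3)), m.group(4))
            for m in map(CONNECT_RE.match, text.splitlines()) if m]


def parse_wtmp(blob):
    """[(epoch, user, host)] for every USER_PROCESS record; ignores a partial tail."""
    sessions = []
    for off in range(0, len(blob) - len(blob) % UTMP_SIZE, UTMP_SIZE):
        rec = struct.unpack(UTMP_FMT, blob[off:off + UTMP_SIZE])
        if rec[0] == USER_PROCESS:
            sessions.append((rec[9], cstr(rec[4]), cstr(rec[5])))
    return sessions


def is_truncated(blob):
    """A wtmp edited with a careless tool often ends in a partial record."""
    return len(blob) % UTMP_SIZE != 0


def orphan_sessions(wtmp_blob, secure_text, window=120):
    """Remote logins in wtmp with no connect line from that host within `window` s before."""
    conns = parse_secure(secure_text)
    orphans = []
    for when, user, host in parse_wtmp(wtmp_blob):
        if not host:          # console login: nothing to correlate
            continue
        if not any(h == host and 0 <= when - t <= window for t, h in conns):
            orphans.append((user, host))
    return orphans


if __name__ == "__main__":
    print("truncated wtmp:", is_truncated(WTMP))
    for user, host in orphan_sessions(WTMP, SECURE):
        print(f"login of {user} from {host} has no connect record in secure")
```

The check only works if the attacker has to clean more than one file, which is exactly why the deck's cleaning list is long; shipping /var/log/secure to the supervisor host as it is written removes the attacker's ability to make the two sources agree.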
Agent-Based Defensive Information Warfare
Intrusion detection, attack recognition and reaction,
counter-attacks, and damage recovery are all operated
via software agents.
Defensive software agents are based on a client-server
model, with responsive agents on the client side and a
supervisor agent on the server side.
A responsive agent is composed of an agent manager, a
security manager, and a group of Java agent entities.
The supervisor agent is composed of an alert manager, a
decision manager, an agent register, and a host display.
Agent-Based Defensive Information
Warfare (Cont.)
Responsive agents are responsible for timely
detection of all kinds of intrusion, so they are distributed
over all of the Intranet's hosts.
The supervisor agent accurately decides the intrusion
category and reacts properly to the anomalous intrusion.
The supervisor agent, together with the responsive agents, must
recover effectively from a successful attack.
The supervisor agent and the group of responsive agents
cooperate with the firewall to counter any kind of attack.
[Figure: Responsive agent (client side). A user interface and agent manager supervise agent entities for FTP (port 21), TELNET (port 23), SMTP (port 25), HTTP (port 80) and other services, under a security manager.]
[Figure: Supervisor agent (server side). Its user interface comprises the host display, decision manager, alert manager and agent register, serving several responsive-agent clients.]
Defensive Steps
[Figure: Numbered message flow (steps 1 to 10) from the monitored services through the agent entities and agent manager of a responsive agent up to the supervisor agent's alert manager, decision manager and host display, and back down to the responsive agent.]
Supervisor GUI
Tools and Techniques for Agent-Based
Defensive Information Warfare
Check Point FireWall-1
Apache Web Server
War-FTP
Sniffer
Java programming language
Scanner for detecting internal Intranet/host weaknesses
Log file analyzer for:
system status report
network status report
network services report
FireWall Authentication
Use client authentication and user authentication to
protect the TELNET and FTP services.
After successful client authentication, we allow
connections from that specific IP address.
When a rule is specified for user authentication, the
corresponding FireWall-1 security server is invoked to
mediate the associated connections.
Agent-Based Defensive Rule
When an agent entity detects denial of the Telnet or FTP
service, the supervisor agent bans the IP that initiated the attack.
When an agent entity detects a mail bomb, the supervisor agent
bans the IP that initiated the attack.
When an agent entity detects denial of the HTTP service,
the supervisor agent alerts the system administrator.
An agent entity checks the services that FireWall-1 allows
and reports whether those services are still alive.
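The four rules above as a supervisor decision function, written as an added example rather than taken from the lab's Java agents: the report fields, the mail-bomb threshold, the action names and the table of allowed services are assumptions. The liveness probe is a plain TCP connect to each service the firewall allows; in the lab the "ban" action would become a FireWall-1 rule change.

```python
"""Supervisor-agent decision rules over responsive-agent reports.

Added example, not the ENT lab's code. Report format, threshold, action
names and the ALLOWED table are assumptions; the rules are the four on
the slide.
"""
import socket
from collections import Counter

# Services FireWall-1 permits in the current phase (assumed table).
ALLOWED = {"ftp": 21, "telnet": 23, "smtp": 25, "http": 80}
MAIL_BOMB_THRESHOLD = 50   # inbound messages from one source (assumed)


class Supervisor:
    """Decision manager: turns agent-entity reports into actions."""

    def __init__(self):
        self.banned = set()
        self.mail_counts = Counter()

    def decide(self, report):
        """Map one report to (action, detail).

        report = {"host": ..., "service": ..., "event": ..., "src": ...}
        event is 'denied' (service stopped answering), 'mail' (one inbound
        message seen by the SMTP entity) or 'alive'.
        """
        svc, event, src = report["service"], report["event"], report.get("src")
        if event == "denied" and svc in ("telnet", "ftp"):
            return self.ban(src)                      # rule 1
        if svc == "smtp" and event == "mail":
            self.mail_counts[src] += 1
            if self.mail_counts[src] >= MAIL_BOMB_THRESHOLD:
                return self.ban(src)                  # rule 2
            return ("none", src)
        if event == "denied" and svc == "http":
            return ("alert", f"HTTP denied on {report['host']}")   # rule 3
        return ("none", None)

    def ban(self, src):
        """Idempotent: a source already on the firewall's ban list is not re-added."""
        if src in self.banned:
            return ("already-banned", src)
        self.banned.add(src)
        return ("ban", src)


def check_services(host, allowed=ALLOWED, timeout=1.0):
    """Rule 4, the agent-entity probe: which allowed services still accept a TCP connect."""
    status = {}
    for name, port in allowed.items():
        try:
            with socket.create_connection((host, port), timeout=timeout):
                status[name] = True
        except OSError:
            status[name] = False
    return status


if __name__ == "__main__":
    sup = Supervisor()
    print(sup.decide({"host": "gw", "service": "ftp", "event": "denied", "src": "10.0.0.9"}))
    print(check_services("127.0.0.1", timeout=0.2))
```

The supervisor keeps its own ban list so that a flood of identical reports from several responsive agents produces one firewall change rather than one per report; the liveness map is what the host display would show per host after each firewall policy adjustment.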
Agent-Based Offensive Information Warfare
vs. Firewall Services
Agent-based offensive information warfare must adjust
its attack strategy to the different levels of firewall services.
Configuring the firewall's network services allows us to
simulate attacks under different tightness levels of
network security policy and mechanism.
The tightest control of the firewall's network services might
reduce many outside attack events, but it also reduces
network service availability and flexibility.
Agent-Based Defensive Information Warfare
vs. Firewall Services
Agent-based defensive information warfare aims at
handling intrusion detection, so it must cooperate with
the firewall's intrusion prevention.
Ideally, defense agents should dynamically adjust the
level of firewall services based on system and
network status and end-user service requests.
Awareness of the current level of firewall services can
greatly reduce the effort of analyzing system/network
log files.
Downgrade Firewall Services for Different
Phases of Warfare
The information warfare lasted 5 days, and the
FireWall-1 service policies were downgraded gradually
to simulate the real-world Internet security protection
level. Firewall service sets by day:
Day 1: smtp, ftp, http, telnet
Day 2: default
Day 3: gopher, pop-3, tftp, who
Day 4: dns, echo, nntp, ntp-tcp
Day 5: all
Fictitious Auction Server for Mobile Agent
Services (Not Done Yet)
A fictitious auction server is going to be set up within the
Intranet so that mobile agents can bid on the auction
items.
In general, a firewall does not provide mobile agent
(code) authentication and authorization, so the auction
server must handle this issue by itself.
Flexibility and security are always in conflict. Mobile
agents provide flexible bidding services but reduce
Intranet security.
The popularity of Java code makes it possible to
provide mobile code services within the Intranet.
Mobile Agent Security Issues
Mobile agent (code) security is an emerging research
problem because of the attractiveness of mobile agent
services and the popularity of Java mobile code.
Host (network) protection, agent protection, and
agent trustworthiness are the major research issues.
Host (network) protection is a traditional problem,
except that the constraints on adopting foreign code
are relaxed.
Agent protection is a hard problem.
Agent trustworthiness is handled via agent
authentication and authorization.
Mobile Agent Authentication and
Authorization
Java 2 provides some basic authentication and
authorization mechanisms, but they are not enough.
The existing X.509 authentication services framework might
not be general and robust enough to handle the mobile agent
authentication and authorization problem.
We need a distributed trust management framework
which allows us to generate many mobile agents that
can be verified and granted access rights dynamically.
A mobile agent system engine must be set up on each
platform before the Intranet can provide mobile code
services.
Conclusion
Offensive and defensive information warfare must be
considered together in order to realize the attack and
defense strategy in an optimal manner, so we consider
this a primal and dual problem.
Which software agent characteristics can be shown in
agent-based information warfare to enhance our attack
or defense power is the primary reason for us to adopt
agent technology.
We do not yet know the power of agent-based information
warfare for the Internet or for social engineering attack
and defense.
References
(1) Boulanger, A., Catapults and grappling hooks: The tools and techniques of information warfare. IBM Systems Journal, 37(1), 1998, 106-114.
(2) Cohen, Fred, Information System Attacks: A Preliminary Classification Scheme. Computers & Security, 16 (1997), 29-46.
(3) Cohen, Fred, Information Systems Defences: A Preliminary Classification Scheme. Computers & Security, 16 (1997), 94-114.
(4) Crosbie, M. and Spafford, G., Defending a Computer System using Autonomous Agents. http://www.cs.purdue.edu/coast/projects/autonomous-agents.html
(5) Denning, Dorothy E., Information Warfare and Security. Addison-Wesley, 1999.
(6) Denning, Dorothy E., Cyberspace Attacks and Countermeasures. In: Internet Besieged: Countering Cyberspace Scofflaws. Addison-Wesley, 1998.
(7) Farmer, D. and Venema, W., Improving the Security of Your Site by Breaking Into It. http://www.epm.ornl.gov/~dunigan/cracking.html
(8) Farmer, D. and Venema, W., SATAN: Security Administrator Tool for Analyzing Networks.
(9) Farmer, D. and Spafford, E., The COPS Security Checker System. Proceedings of the Summer USENIX Conference, 1990, 165-170.
(10) Forrest, S., Hofmeyr, S. A., and Somayaji, A., Computer Immunology. CACM, 40(10), Oct. 1997.
(11) Greenberg, S. M., Byington, J. C., and Harper, D. G., Mobile Agents and Security. IEEE Communications Magazine, July 1998.
(12) Jennings, N. R., Sycara, K., and Wooldridge, M., A Roadmap of Agent Research and Development. Autonomous Agents and Multi-Agent Systems, 1, 1998, 7-38.
(13) Mukherjee, B., Heberlein, L. T., and Levitt, K. N., Network Intrusion Detection. IEEE Network, 8(3), May/June 1994, 26-41.
(14) The Nessus Project, http://www.nessus.org.
(15) Paller, A., SHADOW (SANS's Heuristic Analysis for Defensive Online Warfare). SANS Institute, http://www.sans.org.
(16) Porras, P. A. and Neumann, P. G., EMERALD: Event Monitoring Enabling Responses to Anomalous Live Disturbances. 1997 National Information Systems Security Conference, http://www.csl.sri.com/intrusion.html.
(17) Schwartau, Winn, Information Warfare, 2nd Edition. Thunder's Mouth Press, 1996, p. 12.
(18) Thorn, T., Programming Languages for Mobile Code. ACM Computing Surveys, 29(3), Sep. 1997.